
Cloud Vulnerability DB
A community-led vulnerabilities database
gitoxide, an implementation of git written in Rust, contains a vulnerability (CVE-2025-22620) discovered in January 2025. The vulnerability affects versions prior to 0.17.0, where gix-worktree-state incorrectly sets file permissions when checking out executable files. The issue stems from the software specifying 0777 permissions during file checkout operations, with one of its permission-setting strategies bypassing the system's umask protection (GitHub Advisory).
The vulnerability occurs in the checkout process, where gix-worktree-state implements two strategies for handling executable files on Unix-like systems. The first strategy, used when creating new files, passes the mode to the file-creation call, so the kernel applies the umask and the resulting permissions are correct. The second strategy, used when files might already exist, calls chmod with 0777; chmod applies the requested mode literally, so the umask is never consulted and the file ends up world-writable. The issue is particularly problematic when checkout::Options::destination_is_initially_empty is set to false, which is the default setting (GitHub Advisory).
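To illustrate the two strategies the advisory describes, here is an added Rust example (not gitoxide's code) that contrasts creating a file with mode 0o777 through open(2), where the kernel applies the umask, against chmod(2) with 0o777, which ignores it. The umask-probing helper and the masked chmod are hypothetical, written for this illustration rather than taken from the 0.17.0 fix.

```rust
use std::fs::{self, OpenOptions, Permissions};
use std::io;
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::Path;

// Strategy 1 (new files): the mode goes to open(2), so the kernel clears the umask bits.
fn create_with_mode(path: &Path, mode: u32) -> io::Result<u32> {
    let file = OpenOptions::new().write(true).create(true).truncate(true).mode(mode).open(path)?;
    Ok(file.metadata()?.permissions().mode() & 0o777)
}

// Strategy 2 (files that may exist): chmod(2) applies the mode literally; the umask is ignored.
fn chmod_to_mode(path: &Path, mode: u32) -> io::Result<u32> {
    fs::set_permissions(path, Permissions::from_mode(mode))?;
    Ok(fs::metadata(path)?.permissions().mode() & 0o777)
}

// Hypothetical std-only umask probe: request 0o777 on a throwaway file and see what was cleared.
fn probe_umask(dir: &Path) -> io::Result<u32> {
    let probe = dir.join(format!(".umask-probe-{}", std::process::id()));
    let granted = create_with_mode(&probe, 0o777)?;
    fs::remove_file(&probe)?;
    Ok(0o777 & !granted)
}

// Hardened strategy 2 (illustrative, not the project's fix): drop the umask bits before chmod.
fn chmod_respecting_umask(path: &Path, mode: u32, umask: u32) -> io::Result<u32> {
    chmod_to_mode(path, mode & !umask)
}

fn is_world_writable(mode: u32) -> bool { mode & 0o002 != 0 }

// Run both strategies on one pre-existing scratch file; returns (umask, flawed mode, hardened mode).
fn demonstrate() -> io::Result<(u32, u32, u32)> {
    let dir = std::env::temp_dir();
    let umask = probe_umask(&dir)?;
    let target = dir.join(format!("gix-exec-demo-{}", std::process::id()));
    create_with_mode(&target, 0o644)?; // file already on disk, not executable yet
    let flawed = chmod_to_mode(&target, 0o777)?;
    let hardened = chmod_respecting_umask(&target, 0o777, umask)?;
    fs::remove_file(&target)?;
    Ok((umask, flawed, hardened))
}

fn main() -> io::Result<()> {
    let (umask, flawed, hardened) = demonstrate()?;
    println!("umask={:03o} chmod(0777)={:03o} masked={:03o} world-writable={}/{}",
        umask, flawed, hardened, is_world_writable(flawed), is_world_writable(hardened));
    Ok(())
}
```

With a typical umask of 022 the flawed path yields 777 and the masked path 755; the probe reports whatever umask the running process actually has.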
The vulnerability can result in repository files becoming world-writable, potentially allowing any user account on the system to modify them. This is particularly concerning on multi-user systems, or when an account is used to run software with reduced privileges. The issue affects Unix-like systems but not Windows. The gix clone command is not affected, because checkout_exclusive uses destination_is_initially_empty: true, but since the parameter defaults to false, many other applications built on the crate may be vulnerable (GitHub Advisory).
The vulnerability has been fixed in version 0.17.0 of gix-worktree-state. Users are advised to upgrade to this version or later to address the security issue. For systems that cannot be immediately updated, implementing restrictive ACLs or ensuring repositories are not accessible by untrusted users can help mitigate the risk (GitHub Advisory).
Source: This report was generated using AI